CN106603427A - Method and device for realizing software bypass in firewall - Google Patents


Info

Publication number: CN106603427A
Authority: CN (China)
Prior art keywords: current, bypass, software, software bypass, interfaces
Legal status (as listed by Google Patents, not a legal conclusion): Pending
Application number: CN201710036343.7A
Other languages: Chinese (zh)
Inventor: 高福亮
Current assignee: Opzoon Technology Co Ltd
Original assignee: Opzoon Technology Co Ltd
Application filed by: Opzoon Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/29 Flow control; Congestion control using a combination of thresholds
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls


Abstract

The invention provides a method and device for realizing software bypass in a firewall. The method comprises: judging whether the current network traffic is greater than or equal to a preset traffic threshold; and, if it is, calling a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function. The software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling a pre-packaged computation interface, and when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, it carries out software bypass of the received packets between preset pairs of software bypass ports according to a preset rule. The method and device solve the prior-art problem that, when the current network traffic is heavy or a burst occurs at peak time and the traffic reaches the upper performance limit of the firewall's security-service processing, the device drops packets and the network stalls or is disconnected.

Description

Method and device for realizing software bypass in a firewall
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for realizing software bypass in a firewall.
Background art
At present, a network security device is typically deployed between two or more networks, for example between an intranet and an external network. The application programs on the network security device perform service processing on the network packets that pass through it and then forward the packets according to certain routing rules. If the network security device fails, for example after a power loss or a hang, all of the network segments connected to the device lose contact with one another. If those networks are required to stay connected to each other even then, hardware bypass is needed.
Hardware bypass is a bypass function that, under a specific trigger condition (power loss or hang), lets two networks connect directly at the physical level without passing through the network security device's system. With hardware bypass, the networks attached to the device stay connected to each other and do not go offline when the device fails; of course, at that point the device no longer processes the packets on the network.
However, hardware bypass is triggered only in those special scenarios (power loss or hang), in which two networks are connected directly at the physical level without passing through the network security device. Hardware bypass ports usually come in pairs, not every port of a security device is a bypass port, and in general electrical ports support it while optical ports do not. With the arrival of cloud computing and the big data era, network traffic keeps growing. When the traffic is heavy, or a burst occurs at peak time, and the traffic reaches the upper performance limit of the firewall's security-service processing, the device drops packets: the network stalls in mild cases and is disconnected in severe cases, and hardware bypass is not triggered.
In view of this, how to realize software bypass, so as to solve the problem of network stalls or disconnection caused by device packet loss when the traffic is heavy or a peak-time burst occurs and the traffic reaches the upper performance limit of the firewall's security-service processing, has become a technical problem that needs to be solved.
Summary of the invention
To solve the above technical problem, the present invention provides a method and device for realizing software bypass in a firewall, which can solve the prior-art problem of network stalls or disconnection caused by device packet loss when the traffic is heavy or a peak-time burst occurs and the traffic reaches the upper performance limit of the firewall's security-service processing.
In a first aspect, the present invention provides a method for realizing software bypass in a firewall, comprising:
judging whether the current network traffic is greater than or equal to a preset traffic threshold;
if the current network traffic is greater than or equal to the preset traffic threshold, calling a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling a pre-packaged computation interface and, when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to a preset rule.
Optionally, before judging whether the current network traffic is greater than or equal to the preset traffic threshold, the method further comprises:
in the firewall initialization phase, configuring software bypass ports according to the ports present on the current hardware device;
packaging a computation interface for computing the current CPU usage and the current network port receive rate;
packaging the software bypass operation interface, which obtains the current CPU usage and the current port receive rate by calling the computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between the configured pairs of software bypass ports according to the preset rule.
Optionally, configuring software bypass ports in the firewall initialization phase according to the ports present on the hardware device comprises:
in the firewall initialization phase, configuring software bypass ports according to the ports present on the hardware device, and adding to the net_device data structure of each configured software bypass port a member pointer that points to the other software bypass port paired with it.
Optionally, the computation interface obtains the current CPU usage by reading the CPU instruction cycle count or the accumulated CPU running time.
Optionally, the computation interface obtains the current network port receive rate by counting the packets received per unit of time.
Optionally, carrying out software bypass of the received packets between preset pairs of software bypass ports according to the preset rule, when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, comprises:
when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, detecting whether a forwarding ratio pre-entered by the user exists;
if no user-entered forwarding ratio is detected, carrying out full software bypass of the received packets between the preset pairs of software bypass ports;
if a user-entered forwarding ratio is detected, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to that forwarding ratio.
Optionally, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to the forwarding ratio comprises:
forwarding the share of the received packets given by the forwarding ratio directly at the driver between the preset pairs of software bypass ports, and performing security-service processing on the remaining received packets, i.e. those not forwarded directly at the driver.
In a second aspect, the present invention provides a device for realizing software bypass in a firewall, comprising:
a judging module for judging whether the current network traffic is greater than or equal to a preset traffic threshold;
a calling module for, if the current network traffic is greater than or equal to the preset traffic threshold, calling a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling a pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to a preset rule.
Optionally, the device further comprises:
a setup module for configuring, in the firewall initialization phase, software bypass ports according to the ports present on the current hardware device;
a first packaging module for packaging a computation interface for computing the current CPU usage and the current network port receive rate;
a second packaging module for packaging the software bypass operation interface, which obtains the current CPU usage and the current port receive rate by calling the computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between the configured pairs of software bypass ports according to the preset rule.
Optionally, the calling module is specifically for:
if the current network traffic is greater than or equal to the preset traffic threshold, calling the pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current port receive rate by calling the pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, detects whether a forwarding ratio pre-entered by the user exists;
if no user-entered forwarding ratio is detected, carrying out full software bypass of the received packets between the preset pairs of software bypass ports;
if a user-entered forwarding ratio is detected, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to that forwarding ratio.
As can be seen from the above technical solution, the method and device for realizing software bypass in a firewall of the present invention judge whether the current network traffic is greater than or equal to a preset traffic threshold and, if it is, call a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the interface obtains the current CPU usage and the current port receive rate by calling a pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to a preset rule. This solves the prior-art problem of network stalls or disconnection caused by device packet loss when the traffic is heavy or a peak-time burst occurs and the traffic reaches the upper performance limit of the firewall's security-service processing; it reduces the system resources taken up by processing part of the service traffic, ensures that the firewall, as a security device, drops packets or cuts off traffic as rarely as possible, and prevents the network stalls or outages that occur under heavy traffic when the firewall's performance limit is reached and that disturb the user experience and normal use of the network.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a method for realizing software bypass in a firewall provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a device for realizing software bypass in a firewall provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention.
Fig. 1 is a schematic flow chart of the method for realizing software bypass in a firewall provided by an embodiment of the invention. As shown in Fig. 1, the method of this embodiment is as follows.
101. Judge whether the current network traffic is greater than or equal to a preset traffic threshold.
In a specific application, the preset traffic threshold can be set in advance according to the actual situation of the current firewall; this embodiment does not limit it.
In a specific application, before step 101, the method of this embodiment further comprises steps S1 to S3, which are not shown in the figure:
S1. In the firewall initialization phase, configure software bypass ports according to the ports present on the current hardware device.
Specifically, step S1 may comprise:
in the firewall initialization phase, configuring software bypass ports according to the ports present on the hardware device (for example ports eth0&eth1 or ports eth2&eth3), and adding to the net_device data structure of each configured software bypass port a member pointer (pstSoftBypassDev) that points to the other software bypass port paired with it.
S2. Package a computation interface for computing the current CPU usage and the current network port receive rate.
In a specific application, the computation interface can obtain the current CPU usage by reading the CPU instruction cycle count (using the rdtsc instruction), or by reading the accumulated CPU running time (/proc/stat).
In a specific application, the computation interface obtains the current network port receive rate by counting the packets received per unit of time.
It is understood that the computation interface in this embodiment may also compute the current CPU usage and the current port receive rate by other methods; this embodiment does not limit them.
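As an added example, not code from the patent, the following C program makes the two measurements that step S2 describes: the CPU usage from two readings of the accumulated running time in /proc/stat, and the network port receive rate from the number of packets received over a unit of time. The struct and function names (cpu_snapshot, cpu_usage_percent, rx_rate_pps, read_proc_stat_cpu) and the /proc/stat lines used as sample input are this example's own; the rdtsc variant the text also mentions is not shown.

```c
/* Added example, not code from the patent: the two measurements the patent's
 * "computation interface" makes, done the way the text describes them.
 *   - CPU usage from the accumulated running time in /proc/stat (two snapshots)
 *   - port receive rate from the number of packets received per unit of time
 * All names here are this example's own; the patent names none of them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First eight counters of the aggregate "cpu" line in /proc/stat, in the order the
 * kernel prints them (USER_HZ ticks): user nice system idle iowait irq softirq steal. */
struct cpu_snapshot {
    uint64_t user, nice, system, idle, iowait, irq, softirq, steal;
};

/* Parse the aggregate "cpu  ..." line. Returns 1 on success, 0 otherwise. Per-CPU
 * lines ("cpu0 ...") are rejected on purpose: the text wants the whole device's usage. */
static int parse_cpu_line(const char *line, struct cpu_snapshot *s)
{
    unsigned long long v[8];

    if (strncmp(line, "cpu ", 4) != 0)
        return 0;
    if (sscanf(line + 4, "%llu %llu %llu %llu %llu %llu %llu %llu",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &v[6], &v[7]) != 8)
        return 0;
    s->user = v[0];   s->nice = v[1]; s->system = v[2];  s->idle = v[3];
    s->iowait = v[4]; s->irq = v[5];  s->softirq = v[6]; s->steal = v[7];
    return 1;
}

static uint64_t snapshot_total(const struct cpu_snapshot *s)
{
    return s->user + s->nice + s->system + s->idle +
           s->iowait + s->irq + s->softirq + s->steal;
}

/* CPU usage in percent over the interval between two snapshots: the share of ticks
 * that were not idle (idle + iowait). Returns -1.0 when no time elapsed between the
 * snapshots or a counter went backwards, so a caller cannot mistake that for 0 %. */
static double cpu_usage_percent(const struct cpu_snapshot *before,
                                const struct cpu_snapshot *after)
{
    uint64_t tot_b = snapshot_total(before), tot_a = snapshot_total(after);
    uint64_t idle_b = before->idle + before->iowait, idle_a = after->idle + after->iowait;

    if (tot_a <= tot_b || idle_a < idle_b || idle_a - idle_b > tot_a - tot_b)
        return -1.0;
    return 100.0 * (double)((tot_a - tot_b) - (idle_a - idle_b)) / (double)(tot_a - tot_b);
}

/* Port receive rate in packets per second from two readings of the port's received
 * packet counter (e.g. the net_device rx_packets statistic) taken interval_s apart.
 * Returns -1.0 for a non-positive interval or a counter that went backwards. */
static double rx_rate_pps(uint64_t rx_packets_before, uint64_t rx_packets_after,
                          double interval_s)
{
    if (interval_s <= 0.0 || rx_packets_after < rx_packets_before)
        return -1.0;
    return (double)(rx_packets_after - rx_packets_before) / interval_s;
}

/* Read the live aggregate line from /proc/stat (Linux only). Returns 1 on success. */
static int read_proc_stat_cpu(struct cpu_snapshot *s)
{
    char line[256];
    FILE *f = fopen("/proc/stat", "r");
    int ok;

    if (f == NULL)
        return 0;
    ok = fgets(line, sizeof line, f) != NULL && parse_cpu_line(line, s);
    fclose(f);
    return ok;
}

int main(void)
{
    /* Constructed /proc/stat lines: 1000 ticks elapse, 600 of them idle + iowait. */
    const char *line_before = "cpu  100 0 50 800 50 0 0 0 0 0";
    const char *line_after  = "cpu  400 0 150 1350 100 0 0 0 0 0";
    struct cpu_snapshot before, after;

    if (parse_cpu_line(line_before, &before) && parse_cpu_line(line_after, &after))
        printf("cpu usage over the constructed interval: %.1f %%\n",
               cpu_usage_percent(&before, &after));                 /* 40.0 */
    /* Constructed rx_packets readings taken one second apart. */
    printf("port receive rate: %.0f pps\n", rx_rate_pps(1000, 251000, 1.0)); /* 250000 */

    if (read_proc_stat_cpu(&before))
        printf("live /proc/stat total ticks so far: %llu\n",
               (unsigned long long)snapshot_total(&before));
    return 0;
}
```

Two points a practitioner will want from this that the text leaves implicit: a usage figure is only meaningful over an interval, so the function refuses to return a percentage when no ticks have elapsed between the two snapshots, and per-CPU lines are rejected so that a single core's load is not mistaken for the whole device's.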
S3. Package the software bypass operation interface, which obtains the current CPU usage and the current network port receive rate by calling the computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between the configured pairs of software bypass ports according to the preset rule.
It is understood that the egress port for software bypass can be obtained from the member pointer (pstSoftBypassDev) to the peer port that each of the configured paired software bypass ports keeps in its net_device data structure.
It should be noted that the packet-loss threshold of security-service processing and the forwarding ratio for a given hardware platform can be measured by a tester generating traffic: the receive rate or CPU usage at which packet loss starts is the platform's packet-loss threshold of security-service processing, and the forwarding ratio at which packets are no longer lost is the forwarding ratio. In this embodiment, the packet-loss threshold of security-service processing on the current hardware platform and the forwarding ratio can be preset through a command line that accepts user input.
102. If the current network traffic is greater than or equal to the preset traffic threshold, call the pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling the pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to the preset rule.
In a specific application, "when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carrying out software bypass of the received packets between preset pairs of software bypass ports according to the preset rule" in step 102 may specifically comprise:
when both the current CPU usage and the current port receive rate exceed the preset packet-loss threshold of security-service processing on the current hardware platform, detecting whether a forwarding ratio pre-entered by the user exists;
if no user-entered forwarding ratio is detected, carrying out full software bypass of the received packets between the preset pairs of software bypass ports;
if a user-entered forwarding ratio is detected, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to that forwarding ratio.
Here, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to the forwarding ratio may specifically comprise:
forwarding the share of the received packets given by the forwarding ratio directly at the driver between the preset pairs of software bypass ports, and performing security-service processing on the remaining received packets, i.e. those not forwarded directly at the driver.
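As an added example, not code from the patent, the following C program implements the rule of step 102 in user space so that it can be run and checked: ports are paired as in step S1 through a pstSoftBypassDev-style pointer, the trigger fires only when both the CPU usage and the port receive rate exceed the platform's thresholds, and when a forwarding ratio has been entered the bypassed share of packets is held at exactly that ratio while the remainder goes to security-service processing. The thresholds, the policy and state structs, and the function names (decide_packet, simulate_burst) are this example's own; the metrics are passed in as numbers, as the computation interface would supply them.

```c
/* Added example, not code from the patent: the bypass rule of step 102, written in
 * user-space C so it can be run and checked. struct bypass_dev stands in for the
 * kernel's struct net_device with the member the patent adds (pstSoftBypassDev, the
 * pointer to the paired bypass port). Policy fields, decide_packet and simulate_burst
 * are this example's names; the thresholds below are constructed values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bypass_dev {
    const char *name;
    struct bypass_dev *pstSoftBypassDev;   /* paired port, NULL if not a bypass port */
};

/* Initialisation step S1: pair two ports, e.g. eth0&eth1. */
static void pair_bypass_ports(struct bypass_dev *a, struct bypass_dev *b)
{
    a->pstSoftBypassDev = b;
    b->pstSoftBypassDev = a;
}

/* Values measured on the hardware platform by a tester and entered on the command line. */
struct bypass_policy {
    double cpu_thr_percent;   /* CPU usage at which security processing starts dropping packets */
    double rx_thr_pps;        /* receive rate at which security processing starts dropping packets */
    int    fwd_ratio_percent; /* preset forwarding ratio in percent; -1 when none was entered */
};

enum pkt_action { ACT_SECURITY, ACT_BYPASS };

/* Per-port counters that hold the bypassed share at exactly the configured ratio. */
struct bypass_state {
    uint64_t seen, bypassed;
};

/* The trigger: both metrics above the platform's packet-loss thresholds. */
static bool bypass_condition(const struct bypass_policy *p, double cpu_percent, double rx_pps)
{
    return cpu_percent > p->cpu_thr_percent && rx_pps > p->rx_thr_pps;
}

/* Decide what happens to one packet received on port `in`. On ACT_BYPASS, *out is the
 * paired port the packet is forwarded to directly at the driver; on ACT_SECURITY the
 * packet goes through the normal security-service processing. */
static enum pkt_action decide_packet(const struct bypass_policy *p, struct bypass_state *st,
                                     const struct bypass_dev *in, double cpu_percent,
                                     double rx_pps, struct bypass_dev **out)
{
    *out = NULL;
    st->seen++;
    if (in->pstSoftBypassDev == NULL || !bypass_condition(p, cpu_percent, rx_pps))
        return ACT_SECURITY;
    if (p->fwd_ratio_percent < 0) {                 /* no ratio entered: full bypass */
        st->bypassed++;
        *out = in->pstSoftBypassDev;
        return ACT_BYPASS;
    }
    /* Ratio entered: bypass this packet only if the bypassed share stays <= ratio, so
     * after n packets exactly floor(n * ratio / 100) have skipped security processing. */
    if ((st->bypassed + 1) * 100 <= st->seen * (uint64_t)p->fwd_ratio_percent) {
        st->bypassed++;
        *out = in->pstSoftBypassDev;
        return ACT_BYPASS;
    }
    return ACT_SECURITY;
}

/* Run npackets through decide_packet under fixed metrics and return how many were
 * bypassed, checking that every bypassed packet left through the paired port. */
static uint64_t simulate_burst(const struct bypass_policy *p, const struct bypass_dev *in,
                               double cpu_percent, double rx_pps, uint64_t npackets)
{
    struct bypass_state st = {0, 0};
    struct bypass_dev *out;
    uint64_t i;

    for (i = 0; i < npackets; i++) {
        enum pkt_action a = decide_packet(p, &st, in, cpu_percent, rx_pps, &out);
        if (a == ACT_BYPASS && out != in->pstSoftBypassDev)
            return UINT64_MAX;   /* never expected: bypass egress must be the pair */
    }
    return st.bypassed;
}

int main(void)
{
    struct bypass_dev eth0 = {"eth0", NULL}, eth1 = {"eth1", NULL};
    struct bypass_policy policy = {80.0, 200000.0, -1};   /* constructed thresholds */

    pair_bypass_ports(&eth0, &eth1);
    printf("no ratio, over threshold: %llu of 100 bypassed\n",
           (unsigned long long)simulate_burst(&policy, &eth0, 85.0, 250000.0, 100));
    policy.fwd_ratio_percent = 30;
    printf("ratio 30 %%, over threshold: %llu of 100 bypassed\n",
           (unsigned long long)simulate_burst(&policy, &eth0, 85.0, 250000.0, 100));
    printf("ratio 30 %%, CPU below threshold: %llu of 100 bypassed\n",
           (unsigned long long)simulate_burst(&policy, &eth0, 50.0, 250000.0, 100));
    return 0;
}
```

Every packet that takes the ACT_BYPASS path crosses the firewall without security-service processing; that is the point of the mechanism, and it is also why the example keeps the bypassed counter. It tells the operator how much traffic went uninspected during a burst, and it is the figure to watch when choosing the forwarding ratio, so that only the share the platform cannot inspect without dropping packets is bypassed.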
The method for realizing software bypass in a firewall of this embodiment judges whether the current network traffic is greater than or equal to a preset traffic threshold and, if it is, calls a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the interface obtains the current CPU usage and the current network port receive rate by calling a pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to the preset rule. This solves the prior-art problem of network stalls or disconnection caused by device packet loss when the traffic is heavy or a peak-time burst occurs and the traffic reaches the upper performance limit of the firewall's security-service processing; it reduces the system resources taken up by processing part of the service traffic, ensures that the firewall, as a security device, drops packets or cuts off traffic as rarely as possible, and prevents the network stalls or outages that occur under heavy traffic when the firewall's performance limit is reached and that disturb the user experience and normal use of the network.
Fig. 2 is a schematic structural diagram of a device for realizing software bypass in a firewall provided by an embodiment of the invention. As shown in Fig. 2, the device of this embodiment comprises a judging module 21 and a calling module 22, where:
the judging module 21 is for judging whether the current network traffic is greater than or equal to a preset traffic threshold;
the calling module 22 is for, if the current network traffic is greater than or equal to the preset traffic threshold, calling a pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling a pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between preset pairs of software bypass ports according to a preset rule.
In a specific application, the preset traffic threshold can be set in advance according to the actual situation of the current firewall; this embodiment does not limit it.
In a specific application, the device of this embodiment may further comprise the following modules, not shown in the figure:
a setup module for configuring, in the firewall initialization phase, software bypass ports according to the ports present on the current hardware device;
a first packaging module for packaging a computation interface for computing the current CPU usage and the current network port receive rate;
a second packaging module for packaging the software bypass operation interface, which obtains the current CPU usage and the current port receive rate by calling the computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, carries out software bypass of the received packets between the configured pairs of software bypass ports according to the preset rule.
In a specific application, the computation interface can obtain the current CPU usage by reading the CPU instruction cycle count (using the rdtsc instruction), or by reading the accumulated CPU running time (/proc/stat).
In a specific application, the computation interface obtains the current network port receive rate by counting the packets received per unit of time.
It is understood that the computation interface in this embodiment may also compute the current CPU usage and the current port receive rate by other methods; this embodiment does not limit them.
It should be noted that the packet-loss threshold of security-service processing and the forwarding ratio for a given hardware platform can be measured by a tester generating traffic: the receive rate or CPU usage at which packet loss starts is the platform's packet-loss threshold of security-service processing, and the forwarding ratio at which packets are no longer lost is the forwarding ratio. In this embodiment, the packet-loss threshold of security-service processing on the current hardware platform and the forwarding ratio can be preset through a command line that accepts user input.
In a specific application, the calling module 22 may specifically be for:
if the current network traffic is greater than or equal to the preset traffic threshold, calling the pre-packaged software bypass operation interface from the packet receiving function or from a key security-service processing function, so that the software bypass operation interface obtains the current CPU usage and the current network port receive rate by calling the pre-packaged computation interface and, when both exceed the preset packet-loss threshold of security-service processing on the current hardware platform, detects whether a forwarding ratio pre-entered by the user exists;
if no user-entered forwarding ratio is detected, carrying out full software bypass of the received packets between the preset pairs of software bypass ports;
if a user-entered forwarding ratio is detected, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to that forwarding ratio.
Here, carrying out partial software bypass of the received packets between the preset pairs of software bypass ports according to the forwarding ratio may specifically comprise:
forwarding the share of the received packets given by the forwarding ratio directly at the driver between the preset pairs of software bypass ports, and performing security-service processing on the remaining received packets, i.e. those not forwarded directly at the driver.
The device for realizing software bypass in a firewall of this embodiment can solve the prior-art problem of network stalls or disconnection caused by device packet loss when the traffic is heavy or a peak-time burst occurs and the traffic reaches the upper performance limit of the firewall's security-service processing; it reduces the system resources taken up by processing part of the service traffic, ensures that the firewall, as a security device, drops packets or cuts off traffic as rarely as possible, and prevents the network stalls or outages that occur under heavy traffic when the firewall's performance limit is reached and that disturb the user experience and normal use of the network.
The device of this embodiment can be used to carry out the technical solution of the foregoing method embodiment; its principle of implementation and its technical effect are similar and are not repeated here.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operating steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes it. Terms such as "upper" and "lower" indicate orientations or positional relationships based on those shown in the drawings; they are used only for convenience and simplicity of describing the invention, rather than indicating or implying that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and are therefore not to be construed as limiting the invention. Unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.
Many specific details are set forth in the description of this invention. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other. The invention is not limited to any single aspect or any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical scheme of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical schemes described in the foregoing embodiments or make equivalent substitutions for some or all of the technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical schemes to depart from the scope of the technical schemes of the embodiments of the invention; all of them should be covered by the claims and description of the invention.

Claims (10)

1. A method for realizing software bypass in a firewall, characterized by comprising:
judging whether the current network traffic is greater than or equal to a preset traffic threshold;
if the current network traffic is greater than or equal to the preset traffic threshold, calling a pre-encapsulated software bypass operation interface in a packet receive function or an important security-service processing function, causing the software bypass operation interface to obtain the current CPU usage and the current network-interface receive rate by calling a pre-encapsulated calculation interface, and, when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, software-bypassing received packets between a pre-configured pair of software bypass network interfaces according to preset rules.
2. The method according to claim 1, characterized in that, before said judging whether the current network traffic is greater than or equal to the preset traffic threshold, the method further comprises:
in the firewall initialization phase, configuring the software bypass network interfaces according to the network-interface situation of the current hardware device;
encapsulating a calculation interface for calculating the current CPU usage and the current network-interface receive rate;
encapsulating a software bypass operation interface, the software bypass operation interface being used to obtain the current CPU usage and the current network-interface receive rate by calling the calculation interface and, when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, to software-bypass received packets between the configured pair of software bypass network interfaces according to preset rules.
3. The method according to claim 2, characterized in that said configuring the software bypass network interfaces in the firewall initialization phase according to the network-interface situation of the hardware device comprises:
in the firewall initialization phase, configuring the software bypass network interfaces according to the network-interface situation of the hardware device, and adding, to the net_device data structure of each configured software bypass network interface, a member pointer that points to the other software bypass network interface paired with it.
4. The method according to claim 2, characterized in that the calculation interface obtains the current CPU usage by reading the CPU instruction cycle count or the accumulated running time.
5. The method according to claim 2, characterized in that the calculation interface obtains the current network-interface receive rate from the number of packets received per unit time.
6. The method according to claim 1, characterized in that said software-bypassing received packets between the pre-configured pair of software bypass network interfaces according to preset rules when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing comprises:
when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, detecting whether a forwarding ratio entered in advance by the user exists;
if no user-entered forwarding ratio is detected, software-bypassing all received packets between the pre-configured pair of software bypass network interfaces;
if a user-entered forwarding ratio is detected, partially software-bypassing received packets between the pre-configured pair of software bypass network interfaces according to the forwarding ratio.
7. The method according to claim 6, characterized in that said partially software-bypassing received packets between the pre-configured pair of software bypass network interfaces according to the forwarding ratio comprises:
driving said forwarding ratio of the received packets directly between the pre-configured pair of software bypass network interfaces, and performing security-service processing on the remaining received packets other than those directly forwarded.
8. A device for realizing software bypass in a firewall, characterized by comprising:
a judging module, for judging whether the current network traffic is greater than or equal to a preset traffic threshold;
a calling module, for, if the current network traffic is greater than or equal to the preset traffic threshold, calling a pre-encapsulated software bypass operation interface in a packet receive function or an important security-service processing function, obtaining through the software bypass operation interface the current CPU usage and the current network-interface receive rate by calling a pre-encapsulated calculation interface, and, when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, software-bypassing received packets between a pre-configured pair of software bypass network interfaces according to preset rules.
9. The device according to claim 8, characterized in that the device further comprises:
a setup module, for configuring the software bypass network interfaces in the firewall initialization phase according to the network-interface situation of the current hardware device;
a first encapsulation module, for encapsulating a calculation interface for calculating the current CPU usage and the current network-interface receive rate;
a second encapsulation module, for encapsulating a software bypass operation interface, the software bypass operation interface being used to obtain the current CPU usage and the current network-interface receive rate by calling the calculation interface and, when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, to software-bypass received packets between the configured pair of software bypass network interfaces according to preset rules.
10. The device according to claim 9, characterized in that the calling module is specifically configured to:
if the current network traffic is greater than or equal to the preset traffic threshold, call the pre-encapsulated software bypass operation interface in the packet receive function or the important security-service processing function, cause the software bypass operation interface to obtain the current CPU usage and the current network-interface receive rate by calling the pre-encapsulated calculation interface, and, when both the current CPU usage and the current network-interface receive rate exceed the preset packet-loss thresholds of the current hardware platform's security-service processing, detect whether a forwarding ratio entered in advance by the user exists;
if no user-entered forwarding ratio is detected, software-bypass all received packets between the pre-configured pair of software bypass network interfaces;
if a user-entered forwarding ratio is detected, partially software-bypass received packets between the pre-configured pair of software bypass network interfaces according to the forwarding ratio.
CN201710036343.7A 2017-01-17 2017-01-17 Method and device for realizing software bypass in firewall Pending CN106603427A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710036343.7A CN106603427A (en) 2017-01-17 2017-01-17 Method and device for realizing software bypass in firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710036343.7A CN106603427A (en) 2017-01-17 2017-01-17 Method and device for realizing software bypass in firewall

Publications (1)

Publication Number Publication Date
CN106603427A true CN106603427A (en) 2017-04-26

Family

ID=58586130

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710036343.7A Pending CN106603427A (en) 2017-01-17 2017-01-17 Method and device for realizing software bypass in firewall

Country Status (1)

Country Link
CN (1) CN106603427A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965237A (en) * 2017-05-17 2018-12-07 通用电气公司 Network firewall system and corresponding method and non-transitory computer-readable medium
CN109561083A (en) * 2018-11-20 2019-04-02 杭州迪普科技股份有限公司 Method, apparatus, equipment and the storage medium of bypass processing
CN110113268A (en) * 2019-04-26 2019-08-09 新华三技术有限公司合肥分公司 Flow control methods, device and server
WO2019185013A1 (en) * 2018-03-30 2019-10-03 新华三技术有限公司 Message forwarding
CN110648535A (en) * 2019-09-26 2020-01-03 国家计算机网络与信息安全管理中心 Rail transit data reporting method and device based on traffic bypass acquisition
CN110798342A (en) * 2019-10-14 2020-02-14 杭州迪普科技股份有限公司 Method and device for realizing bypass mode based on software
CN110995694A (en) * 2019-11-28 2020-04-10 新华三半导体技术有限公司 Network message detection method, device, network security equipment and storage medium
CN111277509A (en) * 2020-01-13 2020-06-12 奇安信科技集团股份有限公司 Flow guiding method and device for IPS engine
CN111641946A (en) * 2017-11-07 2020-09-08 Oppo广东移动通信有限公司 Method for processing data, network device and computer storage medium
CN112231107A (en) * 2020-10-28 2021-01-15 新华三信息安全技术有限公司 Message speed limiting system, method, equipment and medium of firewall
CN112311765A (en) * 2020-09-29 2021-02-02 新华三信息安全技术有限公司 Message detection method and device
CN113691517A (en) * 2021-08-17 2021-11-23 北京天融信网络安全技术有限公司 Communication management method, device, equipment and medium for bypass
CN113691536A (en) * 2021-08-25 2021-11-23 北京天融信网络安全技术有限公司 Message processing method and device, electronic equipment and readable storage medium
CN113992596A (en) * 2021-10-18 2022-01-28 北京沃东天骏信息技术有限公司 Interface current limiting method, device, equipment, system and storage medium
US11317291B2 (en) 2018-03-15 2022-04-26 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Data processing method, access network device, and core network device

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10469386B2 (en) * 2017-05-17 2019-11-05 General Electric Company Network shunt with bypass
CN108965237A (en) * 2017-05-17 2018-12-07 通用电气公司 Network firewall system and corresponding method and non-transitory computer-readable medium
CN111641946B (en) * 2017-11-07 2022-01-28 Oppo广东移动通信有限公司 Method for processing data, network device and computer storage medium
CN111641946A (en) * 2017-11-07 2020-09-08 Oppo广东移动通信有限公司 Method for processing data, network device and computer storage medium
US11317291B2 (en) 2018-03-15 2022-04-26 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Data processing method, access network device, and core network device
US11722899B2 (en) 2018-03-15 2023-08-08 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Data processing method, access network device, and core network device
WO2019185013A1 (en) * 2018-03-30 2019-10-03 新华三技术有限公司 Message forwarding
CN109561083A (en) * 2018-11-20 2019-04-02 杭州迪普科技股份有限公司 Method, apparatus, equipment and the storage medium of bypass processing
CN110113268B (en) * 2019-04-26 2022-04-08 新华三技术有限公司合肥分公司 Flow control method and device and server
CN110113268A (en) * 2019-04-26 2019-08-09 新华三技术有限公司合肥分公司 Flow control methods, device and server
CN110648535A (en) * 2019-09-26 2020-01-03 国家计算机网络与信息安全管理中心 Rail transit data reporting method and device based on traffic bypass acquisition
CN110798342A (en) * 2019-10-14 2020-02-14 杭州迪普科技股份有限公司 Method and device for realizing bypass mode based on software
CN110995694B (en) * 2019-11-28 2021-10-12 新华三半导体技术有限公司 Network message detection method, device, network security equipment and storage medium
CN110995694A (en) * 2019-11-28 2020-04-10 新华三半导体技术有限公司 Network message detection method, device, network security equipment and storage medium
CN111277509B (en) * 2020-01-13 2023-12-05 奇安信科技集团股份有限公司 Flow guiding method and device for IPS engine
CN111277509A (en) * 2020-01-13 2020-06-12 奇安信科技集团股份有限公司 Flow guiding method and device for IPS engine
CN112311765A (en) * 2020-09-29 2021-02-02 新华三信息安全技术有限公司 Message detection method and device
CN112231107A (en) * 2020-10-28 2021-01-15 新华三信息安全技术有限公司 Message speed limiting system, method, equipment and medium of firewall
CN112231107B (en) * 2020-10-28 2023-06-30 新华三信息安全技术有限公司 Message speed limiting system, method, equipment and medium of firewall
CN113691517B (en) * 2021-08-17 2022-11-08 北京天融信网络安全技术有限公司 Communication management method, device, equipment and medium for bypass
CN113691517A (en) * 2021-08-17 2021-11-23 北京天融信网络安全技术有限公司 Communication management method, device, equipment and medium for bypass
CN113691536A (en) * 2021-08-25 2021-11-23 北京天融信网络安全技术有限公司 Message processing method and device, electronic equipment and readable storage medium
CN113992596A (en) * 2021-10-18 2022-01-28 北京沃东天骏信息技术有限公司 Interface current limiting method, device, equipment, system and storage medium

Similar Documents

Publication Publication Date Title
CN106603427A (en) Method and device for realizing software bypass in firewall
US9992117B2 (en) Network apparatus, communication system, abnormal traffic detection method, and program
CN108023829B (en) Message processing method and device, storage medium and electronic equipment
CN104796329B (en) A kind of link automatic switching method and device
CN102255910A (en) Method and device for testing performance of intrusion prevention product
CN101188527A (en) A heartbeat detection method and device
CN106533736A (en) Network device reboot method and apparatus
CN102523113B (en) Chip realization method for MEP configuration on cross-chip aggregated link in Ethernet network OAM and chip realization system
CN105527564B (en) FPGA built-in functions self-diagnosing method and system
CN107872370A (en) A kind of Ethernet interface loop quick determination method
CN105068880A (en) Device resetting method based on watchdog
CN106878164A (en) A kind of message transmitting method and device
CN106789264A (en) The method and apparatus that a kind of link aggregation group passage is switched fast
GB2532054A (en) NC-SI port controller
WO2020238747A1 (en) Serial port output path switching method, system and apparatus, and switch
CN106411863A (en) Virtualization platform for processing network traffic of virtual switches in real time
US11258666B2 (en) Method, device, and system for implementing MUX machine
CN107547430A (en) A kind of file transmitting method and device
CN102611499A (en) Method for realizing ODUK (Optical Channel Data Unit) protection switching by crossed disc of OTN (Optical Transport Network) equipment
US20130148510A1 (en) System and method for preventing intrusion of abnormal gtp packet
CN103248536A (en) PW detection method and equipment for virtual link
CN106506265B (en) Detection fpga chip hangs dead method and device
CN109039761B (en) Method and device for processing fault link in cluster control channel
CN104486262B (en) Dying Gasp control method and device are realized based on exchanger chip
CN105224426A (en) Physical host fault detection method, device and empty machine management method, system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination